gohorsejobs/.forgejo/workflows/deploy.yaml

name: Deploy Backend and Backoffice Dev

on:
  workflow_dispatch:
  push:
    branches: [dev]

env:
  REGISTRY: pipe.gohorsejobs.com
  IMAGE_NAMESPACE: bohessefm

jobs:
  build-and-push:
    runs-on: [self-hosted, linux-amd64]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Docker Login
        run: |
          echo "${{ secrets.FORGEJO_TOKEN }}" | docker login ${{ env.REGISTRY }} \
            -u ${{ env.IMAGE_NAMESPACE }} --password-stdin          

      - name: Build & Push Backend
        run: |
          # Build usando SHA para imutabilidade e latest para conveniência
          docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }} \
            -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:latest ./backend
          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:latest          

      - name: Build & Push Backoffice
        run: |
          docker build -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }} \
            -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:latest ./backoffice
          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }}
          docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:latest          

  deploy:
    needs: build-and-push
    runs-on: [self-hosted, linux-amd64]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install kubectl
        run: |
          apk add --no-cache curl
          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
          chmod +x kubectl
          mv kubectl /usr/local/bin/          

      - name: Configure Kubeconfig
        run: |
          mkdir -p ~/.kube
          echo "${{ secrets.KUBECONFIG }}" > ~/.kube/config
          chmod 600 ~/.kube/config          

      - name: Sync Secrets and Vars
        run: |
          kubectl create namespace gohorsejobsdev --dry-run=client -o yaml | kubectl apply -f -

          # Sincroniza Registry Secret
          kubectl get secret forgejo-registry-secret --namespace=forgejo -o yaml | \
          sed 's/namespace: forgejo/namespace: gohorsejobsdev/' | \
          kubectl apply -f - --force

          # Injeta variáveis (Lembre-se de mudar DATABASE_URL para sslmode=disable no Forgejo!)
          kubectl delete secret backend-secrets -n gohorsejobsdev --ignore-not-found

          # Prepare RSA key file if available (prefer secrets over vars)
          if [ -n "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" ]; then
            echo "Decoding RSA_PRIVATE_KEY_BASE64 from secrets"
            printf '%b' "${{ secrets.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true
            # if it's base64-encoded PEM, decode it
            if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then
              base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true
            fi
          elif [ -n "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" ]; then
            echo "Decoding RSA_PRIVATE_KEY_BASE64 from vars"
            printf '%b' "${{ vars.RSA_PRIVATE_KEY_BASE64 }}" > /tmp/rsa_key.pem || true
            if base64 -d /tmp/rsa_key.pem >/dev/null 2>&1; then
              base64 -d /tmp/rsa_key.pem > /tmp/rsa_key_decoded.pem && mv /tmp/rsa_key_decoded.pem /tmp/rsa_key.pem || true
            fi
          fi

          # Create secret: if rsa file exists, create secret from file (robust); otherwise fallback to from-literal
          if [ -f /tmp/rsa_key.pem ]; then
            kubectl create secret generic backend-secrets -n gohorsejobsdev \
              --from-literal=MTU="${{ vars.MTU }}" \
              --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
              --from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \
              --from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \
              --from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \
              --from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \
              --from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \
              --from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \
              --from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \
              --from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \
              --from-literal=ENV="${{ vars.ENV }}" \
              --from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \
              --from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \
              --from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \
              --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
              --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
              --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
              --from-file=private_key.pem=/tmp/rsa_key.pem \
              --dry-run=client -o yaml | kubectl apply -f -
          else
            kubectl create secret generic backend-secrets -n gohorsejobsdev \
              --from-literal=MTU="${{ vars.MTU }}" \
              --from-literal=DATABASE_URL="${{ vars.DATABASE_URL }}" \
              --from-literal=AMQP_URL="${{ vars.AMQP_URL }}" \
              --from-literal=JWT_SECRET="${{ vars.JWT_SECRET }}" \
              --from-literal=JWT_EXPIRATION="${{ vars.JWT_EXPIRATION }}" \
              --from-literal=PASSWORD_PEPPER="${{ vars.PASSWORD_PEPPER }}" \
              --from-literal=COOKIE_SECRET="${{ vars.COOKIE_SECRET }}" \
              --from-literal=COOKIE_DOMAIN="${{ vars.COOKIE_DOMAIN }}" \
              --from-literal=BACKEND_PORT="${{ vars.BACKEND_PORT }}" \
              --from-literal=BACKEND_HOST="${{ vars.BACKEND_HOST }}" \
              --from-literal=ENV="${{ vars.ENV }}" \
              --from-literal=CORS_ORIGINS="${{ vars.CORS_ORIGINS }}" \
              --from-literal=S3_BUCKET="${{ vars.S3_BUCKET }}" \
              --from-literal=AWS_REGION="${{ vars.AWS_REGION }}" \
              --from-literal=AWS_ENDPOINT="${{ vars.AWS_ENDPOINT }}" \
              --from-literal=AWS_ACCESS_KEY_ID="${{ vars.AWS_ACCESS_KEY_ID }}" \
              --from-literal=AWS_SECRET_ACCESS_KEY="${{ vars.AWS_SECRET_ACCESS_KEY }}" \
              --from-literal=RSA_PRIVATE_KEY_BASE64="${{ vars.RSA_PRIVATE_KEY_BASE64 }}" \
              --dry-run=client -o yaml | kubectl apply -f -
          fi          

      - name: Deploy to K3s
        run: |
          kubectl apply -f k8s/dev/ -n gohorsejobsdev
          
          # Vincula o deployment ao SHA específico para garantir que o Pull ocorra corretamente
          kubectl -n gohorsejobsdev set image deployment/gohorse-backend-dev backend=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/gohorsejobs:${{ github.sha }}
          kubectl -n gohorsejobsdev set image deployment/gohorse-backoffice-dev backoffice=${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/backoffice:${{ github.sha }}
          
          # Força o restart para carregar os novos valores do secret backend-secrets
          kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backend-dev
          kubectl -n gohorsejobsdev rollout restart deployment/gohorse-backoffice-dev
          
          # Aguarda estabilização
          kubectl -n gohorsejobsdev rollout status deployment/gohorse-backend-dev --timeout=120s